elastic

package

v0.0.0-...-e81be6b Latest Latest Go to latest Published: Oct 12, 2023 License: GPL-2.0 Imports: 24 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/khulnasoft/khulnasoft-soc

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func NewElasticTransport(user string, pass string, timeoutMs time.Duration, verifyCert bool) http.RoundTripper
type Elastic
- func NewElastic(srv *server.Server) *Elastic
type ElasticCasestore
- func NewElasticCasestore(srv *server.Server) *ElasticCasestore
type ElasticEventstore
- func NewElasticEventstore(srv *server.Server) *ElasticEventstore
type ElasticTransport
- func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error)
type FieldDefinition
type JobLookupHandler
- func NewJobLookupHandler(srv *server.Server, store *ElasticEventstore) *JobLookupHandler
- func (handler *JobLookupHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error)

Constants ¶

View Source

const AUDIT_DOC_ID = "audit_doc_id"

View Source

const DEFAULT_ASYNC_THRESHOLD = 10

View Source

const DEFAULT_CACHE_MS = 86400000

View Source

const DEFAULT_CASE_ASSOCIATIONS_MAX = 1000

View Source

const DEFAULT_CASE_AUDIT_INDEX = "*:so-casehistory"

View Source

const DEFAULT_CASE_INDEX = "*:so-case"

View Source

const DEFAULT_CASE_SCHEMA_PREFIX = "so_"

View Source

const DEFAULT_DURATION_MS = 1800000

View Source

const DEFAULT_ES_SEARCH_OFFSET_MS = 1800000

View Source

const DEFAULT_INDEX = "*:so-*"

View Source

const DEFAULT_INTERVALS = 25

View Source

const DEFAULT_MAX_LOG_LENGTH = 1024

View Source

const DEFAULT_TIMEOUT_MS = 300000

View Source

const DEFAULT_TIME_SHIFT_MS = 120000

View Source

const LONG_STRING_MAX = 1000000

View Source

const MAX_ARRAY_ELEMENTS = 50

View Source

const MAX_ERROR_LENGTH = 4096

View Source

const SHORT_STRING_MAX = 100

Variables ¶

This section is empty.

Functions ¶

func NewElasticTransport ¶

func NewElasticTransport(user string, pass string, timeoutMs time.Duration, verifyCert bool) http.RoundTripper

Types ¶

type Elastic ¶

type Elastic struct {
	// contains filtered or unexported fields
}

func NewElastic ¶

func NewElastic(srv *server.Server) *Elastic

func (*Elastic) Init ¶

func (elastic *Elastic) Init(cfg module.ModuleConfig) error

func (*Elastic) IsRunning ¶

func (somodule *Elastic) IsRunning() bool

func (*Elastic) PrerequisiteModules ¶

func (elastic *Elastic) PrerequisiteModules() []string

func (*Elastic) Start ¶

func (elastic *Elastic) Start() error

func (*Elastic) Stop ¶

func (elastic *Elastic) Stop() error

type ElasticCasestore ¶

type ElasticCasestore struct {
	// contains filtered or unexported fields
}

func NewElasticCasestore ¶

func NewElasticCasestore(srv *server.Server) *ElasticCasestore

func (*ElasticCasestore) Create ¶

func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case) (*model.Case, error)

func (*ElasticCasestore) CreateArtifact ¶

func (store *ElasticCasestore) CreateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)

func (*ElasticCasestore) CreateArtifactStream ¶

func (store *ElasticCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)

func (*ElasticCasestore) CreateComment ¶

func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)

func (*ElasticCasestore) CreateRelatedEvent ¶

func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error)

func (*ElasticCasestore) DeleteArtifact ¶

func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteArtifactStream ¶

func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteComment ¶

func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteRelatedEvent ¶

func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string) error

func (*ElasticCasestore) GetArtifact ¶

func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error)

func (*ElasticCasestore) GetArtifactStream ¶

func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)

func (*ElasticCasestore) GetArtifacts ¶

func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error)

func (*ElasticCasestore) GetCase ¶

func (store *ElasticCasestore) GetCase(ctx context.Context, id string) (*model.Case, error)

func (*ElasticCasestore) GetCaseHistory ¶

func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error)

func (*ElasticCasestore) GetComment ¶

func (store *ElasticCasestore) GetComment(ctx context.Context, id string) (*model.Comment, error)

func (*ElasticCasestore) GetComments ¶

func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) ([]*model.Comment, error)

func (*ElasticCasestore) GetRelatedEvent ¶

func (store *ElasticCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error)

func (*ElasticCasestore) GetRelatedEvents ¶

func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error)

func (*ElasticCasestore) Init ¶

func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociations int, schemaPrefix string) error

func (*ElasticCasestore) Update ¶

func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error)

func (*ElasticCasestore) UpdateArtifact ¶

func (store *ElasticCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)

func (*ElasticCasestore) UpdateComment ¶

func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)

type ElasticEventstore ¶

type ElasticEventstore struct {
	// contains filtered or unexported fields
}

func NewElasticEventstore ¶

func NewElasticEventstore(srv *server.Server) *ElasticEventstore

func (*ElasticEventstore) Acknowledge ¶

func (store *ElasticEventstore) Acknowledge(ctx context.Context, ackCriteria *model.EventAckCriteria) (*model.EventUpdateResults, error)

func (*ElasticEventstore) Delete ¶

func (store *ElasticEventstore) Delete(ctx context.Context, index string, id string) error

func (*ElasticEventstore) Index ¶

func (store *ElasticEventstore) Index(ctx context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error)

func (*ElasticEventstore) Init ¶

func (store *ElasticEventstore) Init(hostUrl string,
	remoteHosts []string,
	user string,
	pass string,
	verifyCert bool,
	timeShiftMs int,
	defaultDurationMs int,
	esSearchOffsetMs int,
	timeoutMs int,
	cacheMs int,
	index string,
	asyncThreshold int,
	intervals int,
	maxLogLength int) error

func (*ElasticEventstore) PopulateJobFromDocQuery ¶

func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idField string, idValue string, timestampStr string, job *model.Job) error

Fetch record via provided Elasticsearch document query.
If the record has a tunnel_parent, search for a UID=tunnel_parent[0]
- If found, discard original record and replace with the new record
If the record has source IP/port and destination IP/port, use it as the filter.
Else if the record has a Zeek x509 "ID" search for the first Zeek record with this ID.
Else if the record has a Zeek file "FUID" search for the first Zeek record with this FUID.
Search for the Zeek record with a matching log.id.uid equal to the UID from the previously found record
- If multiple UIDs exist in the record, use the first UID in the list.
Review the results from the Zeek search and find the record with the timestamp nearest to the original ES ID record and use the IP/port details as the filter.

func (*ElasticEventstore) Search ¶

func (store *ElasticEventstore) Search(ctx context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error)

func (*ElasticEventstore) Update ¶

func (store *ElasticEventstore) Update(ctx context.Context, criteria *model.EventUpdateCriteria) (*model.EventUpdateResults, error)

type ElasticTransport ¶

type ElasticTransport struct {
	// contains filtered or unexported fields
}

func (*ElasticTransport) RoundTrip ¶

func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error)

type FieldDefinition ¶

type FieldDefinition struct {
	// contains filtered or unexported fields
}

type JobLookupHandler ¶

type JobLookupHandler struct {
	web.BaseHandler
	// contains filtered or unexported fields
}

func NewJobLookupHandler ¶

func NewJobLookupHandler(srv *server.Server, store *ElasticEventstore) *JobLookupHandler

func (*JobLookupHandler) HandleNow ¶

func (handler *JobLookupHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL